The system must notify the users whenever their authentication details or other security settings are changed.
Most systems allow their users to modify relevant information, such as access credentials and contact data. Users should be notified whenever any of these or other security settings are modified, as it could be a part of several types of attacks, e.g., account takeover attacks.
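As an added illustration (not part of the original requirement text), the following Python sketch shows one way to implement this control: every change to a security-sensitive setting is written to an audit log and triggers a notification. Two practitioner details are built in: when the email address itself changes, the notice goes to both the old and the new address (so an attacker who swaps the contact address cannot silence the alert), and the notification body never echoes the old or new value of the setting. The `Account`, `SettingsService` and `Notification` names, the list of sensitive fields and the `send` callback are assumptions made for this example.

```python
"""Notify users whenever authentication details or security settings change.

Example code written for this page; not the project's own implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Settings whose modification must trigger a user notification (assumed set).
SECURITY_SENSITIVE_FIELDS = frozenset(
    {"email", "phone", "password_hash", "mfa_enabled", "recovery_email"}
)

# Human-readable names used in notices; values of the setting are never included.
FIELD_DESCRIPTIONS = {
    "email": "email address",
    "phone": "phone number",
    "password_hash": "password",
    "mfa_enabled": "two-factor authentication setting",
    "recovery_email": "recovery email address",
}


@dataclass
class Account:
    user_id: str
    email: str
    phone: Optional[str] = None
    recovery_email: Optional[str] = None
    password_hash: str = ""
    mfa_enabled: bool = False


@dataclass(frozen=True)
class Notification:
    recipient: str
    subject: str
    body: str


class SettingsService:
    """Applies a setting change, records an audit event and notifies the user."""

    def __init__(self, send: Callable[[Notification], None]):
        # `send` is the delivery channel (e-mail, SMS, push); here a plain callback.
        self._send = send
        self.audit_log: List[Dict] = []

    def update_setting(self, account: Account, field_name: str, new_value,
                       *, actor_ip: str, now: Optional[datetime] = None) -> Dict:
        if field_name not in SECURITY_SENSITIVE_FIELDS:
            raise ValueError(f"{field_name!r} is not a security setting")

        when = now or datetime.now(timezone.utc)
        old_value = getattr(account, field_name)

        # Recipients are taken from the state *before* the change, so the
        # previously verified addresses are always informed.
        recipients = {account.email}
        if account.recovery_email:
            recipients.add(account.recovery_email)

        setattr(account, field_name, new_value)

        # A new contact address also receives the notice.
        if field_name in ("email", "recovery_email") and new_value:
            recipients.add(new_value)

        event = {
            "user_id": account.user_id,
            "field": field_name,
            "changed": old_value != new_value,
            "changed_at": when.isoformat(),
            "actor_ip": actor_ip,
        }
        self.audit_log.append(event)

        # The body states what changed, when and from where; it deliberately
        # omits both the previous and the new value of the setting.
        body = (
            f"The {FIELD_DESCRIPTIONS[field_name]} on your account was changed "
            f"on {when:%Y-%m-%d %H:%M} UTC from IP {actor_ip}. "
            "If you did not make this change, secure your account immediately."
        )
        for recipient in sorted(recipients):
            self._send(Notification(recipient, "Security setting changed", body))
        return event


if __name__ == "__main__":
    sent: List[Notification] = []
    service = SettingsService(sent.append)
    user = Account(user_id="u1", email="old@example.com", password_hash="h1")
    service.update_setting(user, "email", "new@example.com", actor_ip="203.0.113.5")
    for n in sent:
        print(n.recipient, "<-", n.body)
```

In a real deployment the `send` callback would hand the notification to the outbound mail or SMS service, and the audit event would go to the same log the detection team already monitors, so a burst of credential or contact changes on one account can be alerted on independently of whether the user reads the notice.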
This requirement is verified in the following services:
- CWE-620. Unverified password change
- NIST 800-53-AC-2_4. Automated audit actions
- OWASP TOP 10-A7. Identification and authentication failures
- NIST Framework-DE_DP-4. Event detection information is communicated
- BIZEC-APP-APP-06. Direct database modifications
- CCPA-1798_106. Consumer's right to correct inaccurate personal information
- CCPA-1798_121. Consumer's right to limit use and disclosure of sensitive personal information
- FCRA-604-E_5. Notification system
- PDPA-6A_26B. Notifiable data breaches
- PDPA-6A_26D. Duty to notify occurrence of notifiable data breach
- CMMC-AC_L2-3_1_9. Privacy & security notices
- CMMC-AU_L2-3_3_4. Audit failure alerting
- CMMC-CM_L2-3_4_3. System change management
- HITRUST CSF-13_n. Participation and redress
- FedRAMP-SI-5. Security alerts, advisories, and directives
- LGPD-9_VII-2. Personal data subject's right of access
- ISA/IEC 62443-IAC-1_12. System use notification
- OWASP SCP-3. Authentication and password management
- BSAFSS-VN_3-2. Vulnerability notification and patching (updates are accompanied by advisory messages)
- OWASP ASVS-2_5_5. Credential recovery
- C2M2-8_3_e. Assign cybersecurity responsibilities
- SIG Lite-SL_65. Is there a process to ensure clients are notified prior to changes being made which may impact their service?
- SIG Lite-SL_90. Are change control procedures required for all changes to the production environment?
- SIG Core-G_2_10_2. Operations management